CN102017572B - Method, apparatus and computer program product for providing single service sign-on - Google Patents

Method, apparatus and computer program product for providing single service sign-on

Info

Publication number: CN102017572B
Authority: CN (China)
Prior art keywords: token, secret, request, service, client
Legal status: Expired - Fee Related
Application number: CN200980114680.7A
Other languages: Chinese (zh)
Other versions: CN102017572A
Inventors: J·卡尔雅拉, A·维普萨莱南, J·玛基
Current assignee: Nokia Technologies Oy
Original assignee: Nokia Oyj
Events: application filed by Nokia Oyj; publication of CN102017572A; application granted; publication of CN102017572B; status Expired - Fee Related; anticipated expiration

Classifications (leaf CPC codes; each sits under the G06F21/00 security arrangements, H04L63/00 network security, H04L9/00 cryptographic mechanisms or H04W wireless network groups)

    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • G06F21/41 User authentication where a single sign-on provides access to a plurality of computers
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L9/3213 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04W12/06 Security arrangements; Authentication
    • H04W80/12 Application layer protocols, e.g. WAP [Wireless Application Protocol]
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04L2209/80 Additional information or applications relating to cryptographic mechanisms (H04L9/00): Wireless

Abstract

An apparatus is provided that comprises a processor arranged to receive a request for an access token (500) from a remote entity, the request including an indication of the requested service. The processor may further be arranged to determine the request type (510), which may be a user ID and password combination, a request token exchange, or an access token exchange. The processor may also be arranged to extract one or more parameters included in the request (520) based on the determined request type, and to perform one or more security checks (530) based at least in part on the extracted parameters. The processor may further be arranged to create an access token (540) based at least in part on the results of the security checks, and to provide the access token (550) to the remote entity.

Description

Method, apparatus and computer program product for providing single service sign-on
Technical field
Embodiments of the present invention relate generally to mobile communication technology and, more specifically, to a method, apparatus and computer program product for providing single service sign-on for web and mobile device users.
Background technology
The modern communications era has brought about a tremendous expansion of wired and wireless networks. Computer networks, television networks and telephone networks are experiencing unprecedented technological development driven by consumer demand. Wireless and mobile networking technologies have addressed these consumer demands while providing more flexible and immediate information transfer.
Current and future networking technologies continue to make information transfer easier and more convenient for users. One area in which further improvement is needed is user authentication over a network for access to services. Some of these services have been available for some time to users of personal computers and other computing devices; more recently, with the continued development of wireless and mobile networking technology and the miniaturisation of the high-power processors and components used in mobile computing devices, some of these services have become available to mobile device users. Examples of such services include e-mail, instant messaging, multi-player gaming, peer-to-peer file transfer, web browsing, social networking and photo hosting.
These services may require users of mobile terminals and other computing devices to set up user accounts and to authenticate with a unique login to each service every time that service is used. For example, a user may have to authenticate to a photo hosting service in order to manage an online photo album. While using the photo hosting service, the user may wish to upload photos to a storage service, or to access photos held on a storage service, for use in combination with the photo hosting service. Those storage services may require the user to log on to the storage service separately before it can be used. The user is thus faced with the frustration of having to remember multiple usernames and passwords and of logging on to each service separately each time it is used.
Although some existing services have attempted to solve this service sign-on problem, for example by providing a single sign-on at an Internet portal that offers access to multiple services to users who reach them through a web browser, existing single sign-on schemes do not address the fact that users of computing devices may access services using a variety of communication protocols, through a variety of application user interfaces, on a variety of computing devices. Some of these services may themselves access other services on the user's behalf during the user's service session.
Beyond the benefits single service sign-on offers users, service providers can also realise benefits, in that responsibility for authentication can be delegated to a single administrative entity through a common service authentication interface. Such a common service authentication interface may also allow the use of a common library of applications and services, which can streamline service development, reduce development cost and provide enhanced security.
It would therefore be advantageous to provide users with a single sign-on system that allows multiple services to be invoked through multiple application interfaces, implemented on multiple devices using multiple communication protocols. Such a system could address at least some of the shortcomings described above.
Summary of the invention
Accordingly, a method, apparatus and computer program product are provided for supporting single service sign-on for users of computing devices. In particular, a method, apparatus and computer program product are provided that allow a user of a device to log on once and gain access to multiple services that the user is registered with or otherwise authorised to use, without having to enter further login information to use those other services. Because the account management provider can receive and respond to requests received in multiple different protocols, the single service sign-on provided is device- and application-independent.
In one exemplary embodiment, a method is provided that may include receiving a request for an access token from a remote entity, the request including an indication of the requested service. The method may further include determining the request type, which may be a user ID and password combination, a request token exchange, or an access token exchange. The method may further include extracting one or more parameters included in the request based on the determined request type, and performing one or more security checks based at least in part on the extracted parameters. The method may also include creating an access token based at least in part on the results of the security checks, and providing the access token to the remote entity.
In another exemplary embodiment, a computer program product is provided. The computer program product comprises at least one computer-readable storage medium having computer-readable program code portions stored therein. The computer-readable program code portions comprise first, second, third, fourth, fifth and sixth program code portions. The first program code portion receives a request for an access token from a remote entity, the request including an indication of the requested service. The second executable portion determines the request type, which may be a user ID and password combination, a request token exchange, or an access token exchange. The third executable portion extracts one or more parameters included in the request based on the determined request type. The fourth executable portion performs one or more security checks based at least in part on the extracted parameters. The fifth executable portion creates an access token based at least in part on the results of the security checks. The sixth executable portion provides the access token to the remote entity.
In another exemplary embodiment, an apparatus is provided that may comprise a processor. The processor may be arranged to receive a request for an access token from a remote entity, the request including an indication of the requested service. The processor may further be configured to determine the request type, which may be a user ID and password combination, a request token exchange, or an access token exchange. The processor may also be configured to extract one or more parameters included in the request based on the determined request type, and to perform one or more security checks based at least in part on the extracted parameters. The processor may also be configured to create an access token based at least in part on the results of the security checks, and to provide the access token to the remote entity.
In another exemplary embodiment, an apparatus is provided. The apparatus may comprise means for receiving a request for an access token from a remote entity, the request including an indication of the requested service. The apparatus may further comprise means for determining the request type, which may be a user ID and password combination, a request token exchange, or an access token exchange. The apparatus may also comprise means for extracting one or more parameters included in the request based on the determined request type. The apparatus may further comprise means for performing one or more security checks based at least in part on the extracted parameters. The apparatus may also comprise means for creating an access token based at least in part on the results of the security checks. The apparatus may also comprise means for providing the access token to the remote entity.
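The token-issuing pipeline of the abstract and summary (receive request, determine type, extract parameters, run security checks, create and return an access token), as an added Python example that is not code from the patent or from Nokia. The HMAC-signed token format, the password store, the service registry and the concrete checks are assumptions; the page specifies only the three request types and that parameters and checks depend on the type.

```python
"""Token-issuing endpoint modelled on the claimed steps 500-550.

Added example, not the patent's code. Token format (HMAC-signed base64
JSON), password store, service registry and the checks are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-demo-key"  # constructed; a deployment keeps this secret
_SALT = b"constructed-demo-salt"      # constructed; use a per-user random salt in practice
TOKEN_TTL = 3600                      # seconds; assumption
KNOWN_SERVICES = {"photos", "storage"}  # constructed registry of services


def _pw_hash(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()

# Constructed user store: user id -> password hash.
USERS = {"alice": _pw_hash("correct horse")}


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def mint_token(user: str, service: str, kind: str, now=None) -> str:
    """Create a token bound to a user, a service and a kind ('request' or 'access')."""
    now = time.time() if now is None else now
    claims = {"sub": user, "svc": service, "kind": kind,
              "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def parse_token(token: str, now=None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not hmac.compare_digest(_sign(body), sig):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def determine_request_type(request: dict) -> str:
    """Step 510: classify the request by the credential it carries."""
    if "user_id" in request and "password" in request:
        return "user_id_password"
    if "request_token" in request:
        return "request_token_exchange"
    if "access_token" in request:
        return "access_token_exchange"
    raise ValueError("unrecognised request type")


def extract_parameters(request: dict, request_type: str) -> dict:
    """Step 520: pull only the parameters relevant to the determined type."""
    if "service" not in request:
        raise ValueError("request must indicate the requested service")
    wanted = {"user_id_password": ("user_id", "password"),
              "request_token_exchange": ("request_token",),
              "access_token_exchange": ("access_token",)}[request_type]
    return {"service": request["service"], **{k: request[k] for k in wanted}}


def security_checks(params: dict, request_type: str, now=None) -> str:
    """Step 530: verify the presented credential; return the authenticated user id."""
    if params["service"] not in KNOWN_SERVICES:
        raise ValueError("unknown service")
    if request_type == "user_id_password":
        stored = USERS.get(params["user_id"])
        presented = _pw_hash(params["password"])  # always hash, so timing is uniform
        if stored is None or not hmac.compare_digest(stored, presented):
            raise ValueError("bad credentials")
        return params["user_id"]
    kind = "request" if request_type == "request_token_exchange" else "access"
    claims = parse_token(params[f"{kind}_token"], now)
    if claims["kind"] != kind:
        raise ValueError("wrong token kind for this exchange")
    # Assumption: a request token is bound to one service, while a valid
    # access token may be exchanged for a token on another known service.
    if kind == "request" and claims["svc"] != params["service"]:
        raise ValueError("request token bound to a different service")
    return claims["sub"]


def handle_token_request(request: dict, now=None) -> dict:
    """Steps 500-550: run the pipeline; return an access token or an error."""
    try:
        rtype = determine_request_type(request)
        params = extract_parameters(request, rtype)
        user = security_checks(params, rtype, now)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"access_token": mint_token(user, params["service"], "access", now)}
```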
Brief description of the drawings
Having thus described embodiments of the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and in which:
Fig. 1 is a schematic block diagram of a mobile terminal according to an exemplary embodiment of the present invention;
Fig. 2 is a block diagram illustrating a wireless communication system according to an exemplary embodiment of the present invention;
Fig. 3 is a block diagram of a system for providing single service sign-on according to an exemplary embodiment of the present invention;
Fig. 4 is a block diagram of a system for providing single service sign-on according to another exemplary embodiment of the present invention;
Fig. 5 is a flowchart of an exemplary method for providing single service sign-on according to an exemplary embodiment of the present invention; and
Fig. 6 is a flowchart of an exemplary method for providing single service sign-on according to an exemplary embodiment of the present invention.
Detailed description
Embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all, embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout.
Fig. 1 shows a block diagram of a mobile terminal 10 that may benefit from embodiments of the present invention. It should be understood, however, that the mobile terminal shown and described hereinafter is merely illustrative of one type of electronic device that may benefit from embodiments of the present invention and should therefore not be taken to limit their scope. Although several embodiments of the electronic device are illustrated and described for purposes of example, other types of electronic devices, such as portable digital assistants (PDAs), pagers, laptop computers, desktop computers, gaming devices, televisions and other types of electronic systems, may also employ the present invention.
As shown, the mobile terminal 10 may include an antenna 12 in communication with a transmitter 14 and a receiver 16. The mobile terminal may also include a controller 20 or other processor that provides signals to the transmitter and receives signals from the receiver. These signals may include signalling information in accordance with the air interface standard of the applicable cellular system and/or any number of different wireless networking techniques, including but not limited to Wireless Fidelity (Wi-Fi) and wireless LAN (WLAN) techniques such as IEEE 802.11. In addition, these signals may include speech data, user-generated data, user-requested data and the like. In this regard, the mobile terminal may operate with one or more air interface standards, communication protocols, modulation types and access types. More specifically, the mobile terminal may operate in accordance with any of a number of first-generation (1G), second-generation (2G), 2.5G, third-generation (3G) and fourth-generation (4G) communication protocols. For example, the mobile terminal may operate in accordance with the 2G wireless communication protocols IS-136 (TDMA), GSM and IS-95 (CDMA). It may also operate in accordance with 2.5G wireless communication protocols such as GPRS and EDGE, and with 3G wireless communication protocols such as UMTS, CDMA2000, WCDMA and TD-SCDMA. The mobile terminal may further operate in accordance with 3.9G wireless communication protocols such as LTE or E-UTRAN, and with fourth-generation (4G) wireless communication protocols and similar protocols that may be developed in the future.
Some NAMPS and TACS mobile terminals may also benefit from embodiments of the present invention, as may dual-mode or higher-mode phones (e.g. digital/analogue or TDMA/CDMA/analogue phones). In addition, the mobile terminal 10 may operate in accordance with Wireless Fidelity (Wi-Fi) protocols.
It is understood that the controller 20 may comprise the circuitry required to implement the audio and logic functions of the mobile terminal 10. For example, the controller 20 may comprise a digital signal processor device, a microprocessor device, an analogue-to-digital converter, a digital-to-analogue converter and the like. Control and signal processing functions of the mobile terminal may be allocated between these devices according to their respective capabilities. The controller may additionally include an internal voice coder (VC) 20a, an internal data modem (DM) 20b and the like. The controller may further include functionality to operate one or more software programs, which may be stored in memory. For example, the controller 20 may operate a connectivity program, such as a web browser. The connectivity program may allow the mobile terminal 10 to transmit and receive web content, such as location-based content, according to protocols such as the Wireless Application Protocol (WAP) and the Hypertext Transfer Protocol (HTTP). The mobile terminal 10 may use the Transmission Control Protocol/Internet Protocol (TCP/IP) to transmit and receive web content across the Internet 50.
The mobile terminal 10 may also comprise a user interface including, for example, a conventional earphone or speaker 24, a ringer 22, a microphone 26, a display 28 and a user input interface, all coupled to the controller 20. Although not shown, the mobile terminal may include a battery for powering the various circuits related to the mobile terminal, for example a circuit that provides mechanical vibration as a detectable output. The user input interface may comprise devices allowing the mobile terminal to receive data, such as a keypad 30, a touch display (not shown), a joystick (not shown) and/or other input devices. In embodiments including a keypad, the keypad may include the conventional numeric (0-9) and related keys (#, *), and/or other keys for operating the mobile terminal.
As shown in Fig. 1, the mobile terminal 10 may also include one or more means for sharing and/or obtaining data. For example, the mobile terminal may include a short-range radio frequency (RF) transceiver and/or interrogator 64, so that data may be shared with and/or obtained from electronic devices in accordance with RF techniques. The mobile terminal may include other short-range transceivers, such as an infrared (IR) transceiver 66 and a Bluetooth (BT) transceiver 68 operating using Bluetooth brand wireless technology developed by the Bluetooth Special Interest Group. The Bluetooth transceiver 68 may be capable of operating according to the Wibree radio standard. In this regard, the mobile terminal 10, and in particular the short-range transceiver, may be capable of transmitting data to and/or receiving data from electronic devices within the proximity of the mobile terminal, such as within 10 metres. Although not shown, the mobile terminal may also be capable of transmitting data to and/or receiving data from electronic devices according to various wireless networking techniques, including Wireless Fidelity (Wi-Fi), WLAN techniques such as IEEE 802.11, and/or others.
The mobile terminal 10 may comprise memory, such as a subscriber identity module (SIM) 38, a removable user identity module (R-UIM) or the like, which may store information elements related to a mobile subscriber. In addition to the SIM, the mobile terminal may include other removable and/or fixed memory. In this regard, the mobile terminal may include volatile memory 40, such as volatile random access memory (RAM), which may include a cache area for the temporary storage of data. The mobile terminal may also include other non-volatile memory 42, which may be embedded and/or removable. The non-volatile memory 42 may comprise EEPROM, flash memory and the like. The memories may store one or more software programs, instructions, pieces of information, data and the like, which may be used by the mobile terminal to perform its functions. For example, the memories may include an identifier, such as an international mobile equipment identification (IMEI) code, capable of uniquely identifying the mobile terminal 10.
Referring now to Fig. 2, by means of example and provide without limitation a type can support be to and from the example that electronic equipment (such as, the mobile terminal of Fig. 1) carries out the system communicated.As shown in the figure, one or more mobile terminal 10 is each can comprise antenna 12, for transmitting a signal to base or base station (BS) 44 and for from its Received signal strength.Base station 44 can be an one or more honeycomb or mobile network's part, and each network can comprise the element of operation needed for this network, such as mobile switching centre (MSC) 46.As known to the skilled person, mobile network can also be called as base station/MSC/ interconnecting function (BMI).In operation, when mobile terminal 10 carries out with receipt of call, MSC 46 can route to and from the calling of mobile terminal 10.When calling relates to mobile terminal 10, MSC 46 can also be provided to the connection of landline trunk.In addition, MSC 46 can control the forwarding of the message to and from mobile terminal 10, and can control to and from messaging center, for the forwarding of the message of mobile terminal 10.Although it should be noted that showing MSC 46, MSC 46 is in the system of figure 2 only exemplary network device, and the invention is not restricted to use in the network adopting MSC.
MSC 46 can be coupled to data network, such as LAN (Local Area Network) (LAN), Metropolitan Area Network (MAN) (MAN) and/or wide area network (WAN).MSC 46 can couple directly to data network.But in an exemplary embodiment in which, MSC 46 is coupled to GTW 48, and GTW 48 can be coupled to the WAN of such as the Internet 50.Then, the equipment of such as treatment element (such as, personal computer, server computer etc.) can be coupled to mobile terminal 10 via the Internet 50.Such as, as described below, treatment element can comprise the one or more treatment elements be associated with computing system 52 (having illustrated two in Fig. 2) described below, source server 54 (having illustrated in Fig. 2) etc.
As shown in Figure 2, BS 44 can also be coupled to signaling GPRS (general packet radio service) support node (SGSN) 56.As known to the skilled person, SGSN 56 can perform the function being similar to MSC 46, for packet-switched services.Similar with MSC 46, SGSN 56 can be coupled to the data network of such as the Internet 50.SGSN 56 can couple directly to data network.Alternative, SGSN 56 can be coupled to packet switched core network, such as GPRS core net 58.Packet switched core network can be coupled to another GTW 48 then, such as GTW GPRS Support Node (GGSN) 60, and GGSN 60 can be coupled to the Internet 50.Except GGSN 60, packet switched core network can also be coupled to GTW 48.In addition, GGSN 60 can be coupled to messaging center.At this point, being similar to MSC 46, GGSN 60 and SGSN 56 can the forwarding of control message (such as MMS message).GGSN 60 and SGSN 56 can also control to and from messaging center, for the forwarding of the message of mobile terminal 10.
In addition, by SGSN 56 is coupled to GPRS core net 58 and GGSN 60, the equipment of such as computing system 52 and/or source server 54 can be coupled to mobile terminal 10 via the Internet 50, SGSN 56 and GGSN 60.At this point, the equipment of such as computing system 52 and/or source server 54 can be crossed over SGSN 56, GPRS core net 58 and GGSN 60 and communicates with mobile terminal 10.By by mobile terminal 10 and other equipment (such as, computing system 52, source server 54 etc.) be connected to the Internet 50 directly or indirectly, mobile terminal 10 such as can come with other devices communicatings according to HTML (Hypertext Markup Language) (HTTP) etc. and communicate with one another each other, performs the various functions of mobile terminal 10 thus.
Although do not illustrate in fig. 2, and do not describe each element of each possible mobile network at this, should recognize, it is one or more arbitrarily that the electronic equipment of such as mobile terminal 10 can be coupled in multiple heterogeneous networks by BS 44.At this point, network can support the communication according to any one or more agreements in multiple first generation (1G), the second generation (2G), 2.5G, the third generation (3G), forth generation (4G) and/or the mobile communication protocol in future etc.Such as, one or more network can be supported according to 2G wireless communication protocol IS-136 (TDMA), the communicating of GSM with IS-95 (CDMA).And such as, one or more network can be supported according to 2.5G wireless communication protocol GPRS, the communication strengthening data GSM environment (EDGE) etc.In addition, such as, one or more network can support the communication according to 3G wireless communication protocol, wherein Universal Mobile Telecommunications System (UMTS) network of 3G wireless communication protocol such as E-UTRAN or use Wideband Code Division Multiple Access (WCDMA) (WCDMA) wireless access technology.The transfer table (such as, digital-to-analog or TDMA/CDMA/ analog telephone) of some narrow-band analog mobile phones service (NAMPS) network and TACS network and bimodulus or more multimode also can have benefited from embodiments of the present invention.
As shown in Figure 2, mobile terminal 10 can also be coupled to one or more WAP (AP) 62.AP 62 can comprise and is configured to come according to such as following technology and mobile terminal 10 carries out the access point that communicates: radio frequency (RF), bluetooth (Bluetooth tM) (BT), any technology in infrared (IrDA) or multiple different interconnected with wireless network technology, wherein interconnected with wireless network technology comprises: WLAN (WLAN) technology, the Wibree of such as IEEE 802.11 (such as, 802.11a, 802.11b, 802.11g, 801.11n etc.) tMultra broadband (UWB) technology etc. of the WiMAX technology of technology, such as IEEE 802.16, Wireless Fidelity (Wi-Fi) technology and/or such as IEEE 802.15.AP 62 can be coupled to the Internet 50.Be similar to MSC 46, AP 62 and can couple directly to the Internet 50.But in one embodiment, AP 62 is indirectly coupled to the Internet 50 via GTW 48.In addition, in one embodiment, BS 44 can be regarded as another AP 62.Will appreciate that, by the arbitrary equipment in mobile terminal 10 and computing system 52, source server 54 and/or other equipment multiple is connected to the Internet 50 directly or indirectly, mobile terminal 10 can communicate each other, communicate with computing system, etc., perform the various functions of mobile terminal 10 thus, such as, data, content etc. be emitted to computing system 52 and/or receive content, data etc. from computing system 52.Term used herein " data ", " content ", " information " and similar terms can exchange use, and being used for representing can data being launched, receiving and/or storing according to the embodiment of the present invention.Thus, should by the restriction being used as spirit to embodiment of the present invention and scope of any this term.
Although not shown in Fig. 2, in addition to or instead of coupling mobile terminal 10 to computing system 52 and/or origin server 54 across the Internet 50, mobile terminal 10, computing system 52 and origin server 54 may be coupled to one another and communicate according to, for example, RF, BT, IrDA or any of a number of different wired or wireless communication technologies, including LAN, WLAN, WiMAX, Wireless Fidelity (Wi-Fi), Wibree™ and/or UWB technologies. One or more computing systems 52 may additionally or alternatively include removable memory capable of storing content that can thereafter be transferred to mobile terminal 10. Further, mobile terminal 10 may be coupled to one or more electronic devices such as printers, digital projectors and/or other multimedia capturing, producing and/or storing devices (e.g. other terminals). Like computing system 52, mobile terminal 10 may be configured to communicate with portable electronic devices according to, for example, RF, BT, IrDA or any of a number of different wired or wireless communication technologies, including USB, LAN, Wibree™, Wi-Fi, WLAN, WiMAX and/or UWB technologies. In this regard, mobile terminal 10 may communicate with other devices via short-range communication techniques. For example, mobile terminal 10 may be in wireless short-range communication with one or more devices 51 equipped with a short-range communication transceiver 80. Electronic device 51 may comprise any of a number of different devices and transponders capable of transmitting and/or receiving data according to any of a number of different short-range communication techniques, including but not limited to Bluetooth™, RFID, IR, WLAN, Infrared Data Association (IrDA) and the like.
Electronic device 51 may comprise any of a number of different mobile or stationary devices, including other mobile terminals, wireless accessories, appliances, portable digital assistants (PDAs), pagers, laptop computers, motion sensors, light switches and other types of electronic devices.
Fig. 3 illustrates a block diagram of a system 300 for providing single service sign-on according to an exemplary embodiment. As used herein, "exemplary" merely means an example and, as such, represents one example embodiment of the invention; it should not be construed to narrow the scope or spirit of the invention in any way. It will be appreciated that the invention encompasses many potential embodiments in addition to those illustrated and described herein. For purposes of illustration, system 300 will be described in conjunction with mobile terminal 10 of Fig. 1 and system 47 of Fig. 2. It should be noted, however, that the system of Fig. 3 may also be used in conjunction with a variety of other devices, both mobile and fixed, and therefore embodiments of the present invention should not be limited to application on devices such as mobile terminal 10 of Fig. 1. Further, it should be noted that the system of Fig. 3 may be used in conjunction with any of a variety of network configurations or protocols and is not limited to embodiments that use system 47 of Fig. 2. It should also be noted that while Fig. 3 illustrates one example of a configuration of a system for providing single service sign-on, numerous other configurations may also be used to implement embodiments of the present invention.
Referring now to Fig. 3, system 300 may include a service provider 302, an account management provider 304 and a client device 306. Service provider 302 and account management provider 304 may each be embodied as any computing device or combination of computing devices. In this regard, service provider 302 and account management provider 304 may each be embodied, for example, as a server or a server cluster. The entities of system 300 may communicate with one another over communication links 308. These communication links may be any computer network configuration, such as system 47 of Fig. 2, and may use any communication protocol or combination of communication protocols that facilitates inter-device communication between service provider 302, account management provider 304 and client device 306. Further, although system 300 is illustrated with only one service provider 302 and one client device 306 for purposes of illustration, system 300 may include a plurality of service providers 302 and client devices 306.
Service provider 302 may provide services to remote users. As used herein, a "service" may include data or other content as well as services such as e-mail, instant messaging, multi-player gaming, peer-to-peer file transfer, web browsing, social networking, photo hosting, video hosting and other multimedia hosting services, which may be accessed by and/or provided to a remote computing device over a network or communication link such as communication link 308. In this regard, a service provides some functionality to a user. In an exemplary embodiment, service provider 302 may include a processor 310, a service user interface 312, a client authentication unit 314, a memory 316 and a communication interface 318.
Processor 310 may be embodied in a number of different ways. For example, processor 310 may be embodied as a microprocessor, coprocessor, controller or various other processing means or elements, including integrated circuits such as an ASIC (application-specific integrated circuit) or FPGA (field-programmable gate array). In an exemplary embodiment, processor 310 may be configured to execute instructions stored in memory 316 or otherwise accessible to processor 310.
Service user interface 312 may be in communication with processor 310 to receive an indication of a request or of user input received via communication interface 318, and/or to provide a visual, audible, mechanical or other output to a user via communication interface 318. These outputs may facilitate the user's use of, or interaction with, the service provided by service provider 302. Accordingly, service user interface 312 may transmit a web page, GUI or other interactive means via communication interface 318, to be provided over communication link 308 to a user device such as client device 306. In this regard, service user interface 312 may be configured to handle provision of the offered service, which service provider 302 provides to authenticated users of client devices 306 and to other service providers that may relay the service provided by service provider 302.
Client authentication unit 314 may be embodied as hardware, software, firmware or some combination thereof, and may be embodied as or otherwise controlled by processor 310. In embodiments where client authentication unit 314 is embodied separately from processor 310, client authentication unit 314 may be in communication with processor 310. Client authentication unit 310 may be configured to receive a service access request from client device 306 or from another service provider (collectively referred to as a "requesting client"). Client authentication unit 310 may further be configured to construct and send a service attach request message to another service provider. In an exemplary embodiment, client authentication unit 310 may be configured to determine the type of the requesting client and the type of client application making the request. Further, client authentication unit 314 may be configured to determine whether an existing sign-on session exists for the requesting client and/or its user, such as where the requesting client or user was previously authenticated by client authentication unit 314 for a usage session that has not yet expired.
" service attach request message " can be instruction or request use or access the service provided by ISP 302, from any message of any remote equipment or other instructions.At this point, service attach request message can comprise one or more parameter.As used herein, " parameter " can comprise a mark indicators, the value comprising multidigit or instruction and the file that can be attached to or be included in message body or object.At this point, parameter can be included in message body, signature or message header.Service attach request message such as can comprise one or more following parameter: access token, the Hash of asking token, user ID, password, password, client key, client secret, token secret, service secret and service key.In addition, one or more in these parameters may be used for marking these information.In some embodiments, the parameter be included in service request information can meet OAuth agreement.
As used herein, the term "access token" refers to a tuple of information that may be created by account management provider 304 in the manner further described herein. In this regard, an "access token" may be associated with a particular user or consumer of a service and serve as an indication that the user is permitted access, for example based on a determination by account management provider 304 regarding access to a service provided by service provider 302. An access token may further indicate, or otherwise be associated with, information indicating the duration or extent of the user's access rights, such as their scope. Thus, an access token may be limited in terms of usage time, usable scope and/or the number of uses of the service.
As used herein, the term "request token" refers to a tuple that binds a service to an authenticated user entity session. A request token may, for example, be provided to service provider 302 in a service attach request message. Client authentication unit 310 may then be configured to retrieve the request token from the message and provide it to the account management provider in exchange for an access token. As used herein, a "secret" refers to a secret such as a unique alphanumeric value that is associated with a client, a service or a token (i.e. a "client secret", a "service secret" or a "token secret", respectively). Although "client key" and "service key" are sometimes referred to separately for illustrative purposes, the terms are interchangeable and may be collectively referred to as a "client key". Likewise, although "client secret" and "service secret" are sometimes referred to separately for illustrative purposes, the terms are interchangeable and may be collectively referred to as a "client secret".
Client authentication unit 310 may further be configured to retrieve or extract (e.g. by parsing) parameters from a service attach request message. In this regard, the client authentication unit may be configured to use the parameters extracted from the service attach request message to construct and send a token information request message and/or a create access token request message. A token information request message refers to a message that may be directed to account management provider 304 requesting information about an access token, such as one received by service provider 302 in a service attach request message. A create access token request message refers to a message, for example directed to account management provider 304, requesting creation and delivery of an access token in exchange for a previously delivered access token or in exchange for a request token. Accordingly, client authentication unit 310 may further be configured to receive access tokens and token information messages from account management provider 304.
Client authentication unit 314 may further be configured to authenticate a received access token. In this regard, client authentication unit 314 may be configured to verify that the received access token is associated with the user, client device 306 and/or service provider making the service access request, and to verify that the access token is still valid. Verifying the validity of an access token may include, for example, verifying that the access token has not expired, such as by exceeding a time limit or exhausting the number of permitted uses. Client authentication unit 314 may be configured to perform this verification by any number of means, such as by comparing parameters received in the service access request with parameters received in a token information message. Additionally or alternatively, client authentication unit 314 may be configured to authenticate the access token by computing a security key and/or hash. These computations may be based on parameters received in the service access request and/or in the token information message. Further, for purposes of authentication, the computed value may be compared with parameters received in the service access request and/or the token information message. Client authentication unit 314 may further be configured to determine the level of user access based on the result of the access token authentication. Accordingly, client authentication unit 314 may be configured to communicate with service user interface 312 to provide an indication of the level of access the user is to be granted to the requested service.
In some embodiments, client authentication unit 314 may provide user authentication for a user accessing a service provided by service provider 302 according to an appropriate authentication protocol, via a web browser application (also referred to as a "client web browser application") executing on client device 306. In some embodiments, the authentication protocol used may be according to the Security Assertion Markup Language (SAML) standard. Embodiments of the present invention are not limited to the use of SAML, however, and it should be noted that wherever SAML is used in this discussion, another suitable web protocol, language or standard may be used instead. In this regard, client authentication unit 314 may be configured to receive user login (also referred to as "sign-in" or "sign-on") information, for example via a web page interface, and to redirect the web browser application to account management provider 304 with an authentication request encoded as a parameter. Client authentication unit 314 may further be configured to receive a web browser application redirect from account management provider 304, which may include a SAML artifact. In some embodiments, client authentication unit 314 may be configured to send a message including the SAML artifact to account management provider 304, requesting that account management provider 304 resolve the artifact, and to receive a SAML assertion from account management provider 304 in response to the request. The SAML assertion may include an account identification (or an indication thereof) of the client as known to service provider 302, and a request token. Client authentication unit 314 may further be configured to instruct service user interface 312 to provide the authenticated user's service home page to the client web browser application according to the user's access permissions as determined by client authentication unit 314.
Memory 316 may include, for example, volatile memory and/or non-volatile memory. Memory 316 may be configured to store information, data, applications, instructions and the like for enabling the device to carry out various functions in accordance with exemplary embodiments of the present invention. For example, memory 316 may be configured to buffer input data for processing by processor 310. Additionally or alternatively, memory 316 may be configured to store instructions for execution by processor 316. Further, memory 316 may alternatively be one of a plurality of databases that store static and/or dynamic information, such as information associated with mobile terminal context information, Internet service context information, user status indicators, user activity and the like. In this regard, memory 316 may store, for example, received messages, parameters extracted from received messages, information about registered service users and/or information about registered client devices 304. The stored information may be used by service user interface 312 and/or client authentication unit 314 to carry out their respective functions.
Communication interface 318 may be embodied as any device or means embodied in hardware, software, firmware or a combination thereof that is configured to receive data from, and/or transmit data to, a network and/or any other device or module in communication with service provider 302. Communication interface 318 may be embodied as or otherwise controlled by processor 310. In this regard, communication interface 318 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communication with other entities of system 300 via communication link 308. Accordingly, service provider 302 may communicate with account management provider 304 and/or client device 306 via communication interface 318 and communication link 308. In this regard, communication interface 318 may be in communication with service user interface 312, client authentication unit 314 and the memory. Communication interface 318 may be configured to communicate with remote devices of system 300 using any networking protocol. In an exemplary embodiment, communication interface 318 may be configured to communicate using Hypertext Transfer Protocol (HTTP) security extensions, such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Communication interface 318 may further be configured to transmit and receive requests, data and messages formatted according to various web protocols, such as Hypertext Markup Language (HTML), Extensible Markup Language (XML) and/or security extensions thereof, such as Security Assertion Markup Language (SAML).
Referring now to account management provider 304 of Fig. 3, account management provider 304 may serve as a repository of data about registered service users, and may thus include a plurality of stored account identifications and passwords associated with users of registered services, which may be stored, for example, in memory 326. In this regard, account management provider 304 may store data about users of a plurality of registered services, and each registered service user may be associated with a plurality of account identifications (e.g. username and password combinations, each combination being associated with a different service). Account management provider 304 may further manage or communicate with a plurality of service providers 302 so as to provide single service sign-on and centralized user authentication management. In an exemplary embodiment, account management provider 304 may include a processor 320; means for determining a request type, means for extracting one or more parameters included in a request based on the determined request type, means for performing one or more security checks, and means for creating an access token, such as a token creation unit 322; a token authentication unit 324; a memory 326; and means for receiving a request for an access token and means for providing an access token to a remote entity, such as a communication interface 328.
Processor 320 may be embodied in a number of different ways. For example, processor 320 may be embodied as a microprocessor, coprocessor, controller or various other processing means or elements, including integrated circuits such as an ASIC (application-specific integrated circuit) or FPGA (field-programmable gate array). In an exemplary embodiment, processor 320 may be configured to execute instructions stored in memory 326 or otherwise accessible to processor 320.
Token creation unit 322 may be embodied as any device or means embodied in software, hardware, firmware or a combination thereof, and may be embodied as or otherwise controlled by processor 320. Token creation unit 322 may be configured to create access tokens and/or request tokens, for example in response to a token request (referred to as a "create access token request message"). In this regard, token creation unit 322 may be configured to receive a create access token request message, for example from service provider 302 or client device 306. Token creation unit 322 may be configured to determine the type of the create access token request, for example based on the parameters included in the create access token request. Create access token request types may include, for example: a user ID and password combination, where the access token may be created based on the received user ID and/or password; a request token exchange, where the access token may be created based on a received request token; and an access token exchange, where the access token may be created based on a received access token, which may have been previously created or issued by token creation unit 322. Accordingly, token creation unit 322 may be configured to extract one or more parameters included in the create access token request based on the determined request type. These parameters may include, for example, one or more of a user ID, a password, a client key, a client secret, a previously issued access token and a request token hash.
Token creation unit 322 may be configured to use the extracted parameters to perform one or more security checks so as to authenticate the requesting user or client. For example, token creation unit 322 may compare the extracted parameters with user data stored in memory 326. In this regard, token creation unit 322 may verify that the extracted user ID and password are known and correspond to each other. Additionally or alternatively, token creation unit 322 may be configured to verify an association between a client identification (such as an identification of the requesting service provider 302 or client device 30), the user ID and the requested service. Additionally or alternatively, token creation unit 322 may be configured to verify a signature included in the create access token request message. Additionally or alternatively, token creation unit 322 may further be configured to verify an association between an extracted request token, the client key, the client secret and the requested service. Further, additionally or alternatively, token creation unit 322 may be configured to verify an association between an extracted previously issued access token, its associated token secret, the client secret and the requested service. In addition, token creation unit 322 may be configured to perform security checks based on data stored in memory 326, which data may indicate a predefined clearance level associated with the requesting user or client.
Based on the security checks performed, token creation unit 322 may be configured to create an access token whose service access rights are restricted according to the user associated with the request, the requested service associated with the create access token request and/or the requesting client device 306. Such rights may include, for example, the degree of access to certain content or to the service offered, usage rights or restrictions, an expiration time, a number of permitted uses, a number of permitted users and/or an indication of the associated permitted users, an indication of the associated service(s) for which the access token may be used, and/or other similar rights or constraints. In this regard, some requesting users or clients may be more "trusted" than others, in that a trusted user or trusted client may have greater service usage or access rights than a common user or client. For example, if a photo hosting service and a music hosting service are each clients attempting to use a storage service, the photo hosting service may be more trusted than the music hosting service and be granted greater usage rights to the storage service, for example based on the storage space required or otherwise requested by the respective requesting service, or based on intellectual property considerations, which are heightened for the music hosting service by the potential for infringing music files to be stored in the storage service.
Token creation unit 322 may further be configured to create a request token in response to receiving a request to resolve a SAML artifact. Further, token creation unit 322 may be configured to provide the created access token or request token to the requesting service provider 302 or client device 306. Accordingly, token creation unit 322 may, for example, send the created access token or request token to the requesting entity as a parameter in a message, or provide means for the remote entity to access or download the created token stored on account management provider 304 (e.g. in memory 326). Token authentication unit 324 may be embodied as any device or means embodied in hardware, software, firmware or a combination thereof, and may be embodied as or otherwise controlled by processor 320. Token authentication unit 324 may be configured to receive a token information request message from service provider 302. The token information request message may include an access token and, in some embodiments, may further include a service key and a service secret associated with the service provider from which the token information request message is received. In some embodiments, the token information request message includes the service key and the service secret, and the service key and service secret may be included in a signature with which the token information request message is signed. Token authentication unit 324 may accordingly be configured to verify the association between the access token, the service key and the service secret. This verification may be based, for example, on a database of issued access keys, or on other access keys, which may be stored in memory 326.
Token authentication unit 324 may thus be configured to determine one or more of a user ID, a token secret and a client secret associated with the access token. The user ID, token secret and client secret may, for example, be stored in memory 326 in association with an indication of the access token. In this regard, the user ID determined by token authentication unit 324 is the user ID of the user or client as known to the service provider 302 from which the token information request was received. This user ID may differ from the account identification of the user or client as known to account management provider 304, and may differ from the user ID known to service providers other than the requesting service provider 302. Accordingly, token authentication unit 324 may further be configured to send a message to service provider 302 in response to the token information request message, the message including one or more of the determined user ID, the client key and the token secret.
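This added example (not the patent's code) walks through the token information exchange just described and the access token authentication on the service provider side described earlier for client authentication unit 314: the service provider signs its token information request with the service secret, the account management provider verifies that signature and the token's association with that service, and the service provider then recomputes the client's signature with the returned token secret and enforces the time and use limits. The HMAC-SHA256 signing convention, the parameter canonicalisation and the stored records are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed account management provider state (stands in for memory 326; sample values only).
SERVICE_KEYS = {"photo-svc": "photo-service-secret"}          # service key -> service secret
TOKENS = {
    "tok-abc": {"user_id": "alice@photo", "client_key": "photo-app",
                "client_secret": "app-secret", "token_secret": "tok-secret-1",
                "services": {"photo-svc"}, "expires_at": 2000.0, "uses_left": 2},
}


def _base_string(params: dict) -> str:
    """Constructed convention: sorted, URL-encoded parameters, excluding the signature itself."""
    return urlencode(sorted((k, str(v)) for k, v in params.items() if k != "signature"))


def sign(params: dict, *keys: str) -> str:
    """HMAC-SHA256 over the canonical parameter string, keyed with the joined secrets."""
    return hmac.new("&".join(keys).encode(), _base_string(params).encode(), hashlib.sha256).hexdigest()


# --- account management provider side: token authentication unit 324 ---
def token_info(request: dict) -> dict:
    service_key = request["service_key"]
    service_secret = SERVICE_KEYS.get(service_key)
    if service_secret is None:
        raise PermissionError("unknown service key")
    # The service proves possession of its secret through the signature, never by sending it.
    expected = sign(request, service_secret)
    if not hmac.compare_digest(expected, request.get("signature", "")):
        raise PermissionError("bad token information request signature")
    rec = TOKENS.get(request["access_token"])
    if rec is None or service_key not in rec["services"]:
        raise PermissionError("access token not associated with this service")
    # Reply carries the user ID as known to this service, plus client key and token secret;
    # the client secret is deliberately not returned.
    return {"user_id": rec["user_id"], "client_key": rec["client_key"],
            "token_secret": rec["token_secret"], "expires_at": rec["expires_at"],
            "uses_left": rec["uses_left"]}


# --- service provider side: client authentication unit 314 ---
def authenticate_service_access(request: dict, service_key: str, service_secret: str, now: float) -> str:
    """Authenticate a signed service access request; returns the user ID on success."""
    # 1. Ask the account management provider about the presented token (signed request).
    info_req = {"access_token": request["access_token"], "service_key": service_key,
                "nonce": request["nonce"]}
    info_req["signature"] = sign(info_req, service_secret)
    info = token_info(info_req)
    # 2. Validity: neither the time limit nor the permitted number of uses may be exhausted.
    if now >= info["expires_at"] or info["uses_left"] <= 0:
        raise PermissionError("access token expired or uses exhausted")
    # 3. Association: the token must belong to the client that is presenting it.
    if request["client_key"] != info["client_key"]:
        raise PermissionError("client key does not match the token")
    # 4. Recompute the client's signature with the returned token secret and compare.
    expected = sign(request, info["token_secret"])
    if not hmac.compare_digest(expected, request.get("signature", "")):
        raise PermissionError("client signature does not verify")
    return info["user_id"]
```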
Memory 326 may include, for example, volatile memory and/or non-volatile memory. Memory 326 may be configured to store information, data, applications, instructions and the like for enabling the device to carry out various functions in accordance with exemplary embodiments of the present invention. For example, memory 326 may be configured to buffer data for processing by processor 320. Additionally or alternatively, memory 326 may be configured to store instructions for execution by processor 326. In this regard, memory 326 may store, for example, received messages, parameters extracted from received messages, information about registered account users and registered service providers, and/or information about registered client devices 304. The stored information may be used by token creation unit 322 and/or token authentication unit 324 to carry out their respective functions.
Communication interface 328 may be embodied as any device or means embodied in hardware, software, firmware or a combination thereof that is configured to receive data from, and/or transmit data to, a network and/or any other device or module in communication with account management provider 304. Communication interface 328 may be embodied as or otherwise controlled by processor 320. In this regard, communication interface 328 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communication with other entities of system 300 via communication link 308. Accordingly, account management provider 304 may communicate with service provider 302 and/or client device 306 via communication interface 328 and communication link 308. In this regard, communication interface 328 may be in communication with token creation unit 322, token authentication unit 324 and memory 326. Communication interface 328 may be configured to communicate with remote devices of system 300 using any networking protocol. In an exemplary embodiment, communication interface 328 may be configured to communicate using Hypertext Transfer Protocol (HTTP) security extensions, such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Communication interface 328 may further be configured to transmit and receive requests, data and messages formatted according to various web protocols, such as Hypertext Markup Language (HTML), Extensible Markup Language (XML) and/or security extensions thereof, such as Security Assertion Markup Language (SAML).
Referring now to client device 306 of Fig. 3, client device 306 may be any computing device by which a user may access or use a service provided by service provider 302. In some embodiments, client device 306 may be mobile terminal 10 of Fig. 1. Client device 306 is not limited in this regard, however, and may be embodied, for example, as a desktop computing device, a laptop computing device or a personal digital assistant. Further, it should be noted that although only a single client device 306 is illustrated in Fig. 3, a plurality of client devices 306 may be included in system 300. In an exemplary embodiment, client device 306 may include a processor 330, an application user interface 332, a communication interface 334 and a memory 336.
Processor 330 may be embodied in a number of different ways. For example, processor 330 may be embodied as a microprocessor, coprocessor, controller or various other processing means or elements, including integrated circuits such as an ASIC (application-specific integrated circuit) or FPGA (field-programmable gate array). In an exemplary embodiment, processor 330 may be configured to execute instructions stored in memory 336 or otherwise accessible to processor 330. In embodiments where client device 306 is mobile terminal 10, processor 330 may be embodied as controller 20.
Application user interface 332 may be embodied as software, hardware, firmware or a combination thereof, and may be embodied as or otherwise controlled by processor 330. Application user interface 332 may be embodied as or include any application that facilitates access to and/or use of a service provided by service provider 302. In this regard, application user interface 332 may be, for example, a dedicated application such as a photo client uploader, an e-mail application, a gaming application, a multimedia player application or the like. Additionally or alternatively, application user interface 332 may be embodied as or include a general-purpose application, such as a web browser application that enables access to and/or use of a service provided by service provider 302 over a network. Application user interface 332 may also be embodied as or include a web browser application plug-in, a script and/or an application that may be deployed in a distributed manner over a network. Application user interface 332 may further be configured to receive an indication of user input to application user interface 332, for example via a keyboard, mouse, joystick, touch-screen display, conventional display, microphone, speaker or other input/output means. For example, application user interface 332 may be configured to receive input requesting use of a service, interacting with a service, and entering login information such as a username and password. Further, application user interface 332 may be configured to provide audio/visual output to a user of client device 306. In this regard, the output may include data, services, content, messages and/or requests received from service provider 302 and account management provider 304.
Communication interface 334 may be implemented as any device or means embodied in hardware, software, firmware or a combination thereof that is configured to receive data from, and/or send data to, a network and/or any other device or module in communication with client device 306. Communication interface 334 may be implemented as, or controlled by, processor 330. In this regard, communication interface 334 may include, for example, an antenna, a transmitter, a receiver, a transceiver and/or supporting hardware or software for enabling communication with the other entities of system 300 over communication link 308. Thus, via communication interface 334 and communication link 308, client device 306 may communicate with service provider 302 and/or account management provider 304. In this regard, communication interface 334 may be in communication with memory 336 and application user interface 332. Communication interface 334 may be configured to communicate with the remote devices of system 300 using any networking protocol. In an exemplary embodiment, communication interface 334 may be configured to communicate using a security extension of the Hypertext Transfer Protocol (HTTP), such as Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Communication interface 334 may further be configured to send and receive requests, data and messages formatted according to various web protocols, such as Hypertext Markup Language (HTML), Extensible Markup Language (XML) and/or their security extensions, such as Security Assertion Markup Language (SAML).
Memory 336 may include, for example, volatile memory and/or non-volatile memory (for example, in embodiments in which client device 306 is a mobile terminal 10, volatile memory 40 and non-volatile memory 42). Memory 336 may be configured to store information, data, applications, instructions and the like for enabling the device to carry out various functions in accordance with exemplary embodiments of the present invention. For example, memory 336 may be configured to buffer input data for processing by processor 330. Additionally or alternatively, memory 336 may be configured to store instructions for execution by processor 330. In this regard, memory 336 may, for example, store user account information, such as a user ID and any associated password, for account management provider 304 and/or a plurality of service providers 302. In some embodiments, some or all of this account management information may be stored in the form of cookies that are accessed or used by a web browser application comprised by application user interface 332. Memory 336 may further store access tokens received from account management provider 304. The stored information may be used by application user interface 332.
Referring now to Fig. 4, a more specific embodiment of system 300 is shown. The system of Fig. 4 comprises a client web browser application 400, a photo service 402, account management provider 304, a storage service 406 and a photo client application 408, which may be interconnected over a network as illustrated. In this regard, photo service 402 and storage service 406 represent embodiments of service provider 302, providing a photo hosting and access service and a photo storage service, respectively. Client web browser application 400 and photo client application 408 are exemplary embodiments of application user interface 332 and may be implemented on the same client device 306 or on separate client devices 306. A use-case scenario is now described with reference to the system of Fig. 4 and the entities of system 300. This use-case scenario is provided for purposes of illustration only and should not be construed as limiting in any way the entities, services, communication protocols or sequence of operations described in it.
A user of photo client application 408 may wish to access a photo album at photo service 402. Photo client application 408 requires an access token in order to access album service 402 and can obtain that access token from account management provider 304. Photo client application 408 may therefore construct a create access token request message. The message may be in XML format and may include a user ID and user password known to account management provider 304. Photo client application 408 may retrieve the user ID and password from memory (for example, memory 336) or may prompt the user to enter them. Photo client application 408 may then sign the create access token request message using its client key and client secret. The key and the signature may be carried in an HTTP header. The create access token request message may then be sent to account management provider 304 over a TLS-protected HTTP connection (https).
Token creation unit 322 of account management provider 304 may then determine that the request type of the received create access token request message is a user ID and password combination, and extract the user ID, password, client key and client secret from the create access token request message. While performing the security check process based on the extracted parameters, token creation unit 322 may verify the user ID and password and the client key; the signature of the create access token request message; and the association between the client identity, the user ID and the photo service. Assuming that token creation unit 322 successfully verifies the create access token request message, token creation unit 322 may create an access token and associate it with the requesting user's authentication session, with photo service 402 and with a token secret. Token creation unit 322 may then send a message comprising the access token and the token secret to photo client application 408. Photo client application 408 can now use the received access token to access photo service 402.
In response to a request from the user, photo client application 408 may then construct a message for uploading photos to photo service 402. The interface and communication protocol used by photo client application 408 to interact with photo service 402 may be based on any interface and communication protocol that photo service 402 and photo client application 408 are configured to use, and are therefore not limited in any way by embodiments of the present invention. Typically, however, photo client application 408 may, for example, construct a message comprising the access token, one or more photo files, an album identifier and any associated data, such as titles associated with the photo files. Photo client application 408 may sign the message using a combination of its client secret and the token secret, and insert the signature, the access token and the client key into the message header. In this regard, the access token may be used both as the token in the message body and as part of the sender's key for signing the message. The access token can thus be used to overcome a security weakness associated with client application keys: whereas the long-lived client key and client secret could be extracted from client device 306 by an attacker, the token key and token secret are randomly generated and issued by account management provider 304 and are relatively short-lived. Photo client application may then send the photo upload message to photo service 402, for example using HTTP.
Photo service 402 may then receive the photo upload message from the photo client application and retrieve the access token contained in the message. At this point, photo service 402 may not know which user of the photo service is associated with the access token, and may therefore construct a token information request message and send it to account management provider 304. Photo service 402 may sign the message using its own service key and service secret. The message may be sent over TLS. On receiving the token information request message, account management provider 304 may perform a number of verification steps, such as verifying the association between the access token, the service key and the service secret contained in the token information request message. Token verification unit 324 of account management provider 304 may then determine the user ID known to photo service 402 that is associated with the access token, the token secret and the client key used to obtain the access token; construct a token information message (comprising the user ID, the token secret and the client key); and send the token information message to photo service 402.
On receiving the token information message, client authentication unit 314 of photo service 402 may extract the parameters contained in it and verify that the client key received in the token information message matches the client key received in the photo upload message from photo client application 408. Photo service 402 may then verify the signature in the photo upload message, and may verify that the user associated with the access token still has permission to upload photos. Photo service 402 may use storage service 406 to store the uploaded photos. In order to call storage service 406, photo service 402 needs a suitable access token. Photo service 402 may therefore construct a create access token request message comprising the access token received from photo client application 408 and an indication of storage service 406, such as the DNS name of storage service 406. Photo service 402 may sign the create access token request message using its service secret and the access token secret, and send the create access token request message to the account management provider. This message may be sent, for example, over TLS.
On receiving the create access token request message, token creation unit 322 of account management provider 304 may determine that the request type is an access token exchange, and extract the previously issued access token, the service secret and the token secret from the message. Token creation unit 322 may then verify the association between the access token, the token key and the service secret. Token creation unit 322 may further verify that the user or client associated with the received access token and/or photo service 402 has permission to access storage service 406. Assuming that token creation unit 322 successfully verifies the create access token request message and the permission to access storage service 406, token creation unit 322 may, as before, create an access token and associate it with the requesting user's authentication session, with storage service 406 and with a token secret. Token creation unit 322 may then send a message comprising the newly created access token and the token secret to the photo service.
On receiving the message comprising the newly created access token from account management provider 304, photo service 402 may create a save file message comprising the new access token and the photo files. Photo service 402 may sign the save file message using a combination of its own service secret and the new token secret; photo service 402 may, for example, insert its service key, the new access token and the signature into an HTTP Authorization header, and send the save file message to storage service 406. Client authentication unit 314 of storage service 406 may then parse the access token from the received save file message and construct a token information request message comprising the parsed access token. Client authentication unit 314 of storage service 406 then signs the token information request message using the storage service key and storage service secret, and sends the token information request message to account management provider 304, for example using TLS.
On receiving the token information request message, account management provider 304 may, for example, perform a number of verification steps as before, such as verifying the association between the access token, the service key and the service secret contained in the token information request message. Token verification unit 324 of photo management provider 304 may then determine the user ID known to storage service 406 that is associated with the access token, the token secret and the photo service key used to obtain the access token (note that in this case one service provider is calling a second service provider; the first service provider, here the photo service, acts as the client, and in particular the photo service key is equivalent to a client key); construct a token information message (comprising the user ID, the token secret and the photo service key); and send the token information message to storage service 406.
Client authentication unit 314 of storage service 406 may then verify the photo service key by comparing the photo service key contained in the save file message with the photo service key received in the token information message from account management provider 304. Client authentication unit 314 of storage service 406 may verify the signature in the save file message using the token secret and the photo service secret. If the storage service successfully verifies the save file message, storage service 406 may use the user ID to determine in which account storage space to store the picture data contained in the save file message.
Some time later, the user may wish to organize their online photo albums, and may therefore browse to photo service 402 using client web browser application 400 via a web interface, which may be provided, for example, by service user interface 312 of photo service 402. If no user session exists (for example because client web browser application 400 runs on a client device different from that of photo client application 408, or because the previous login session has expired), service user interface 312 of photo service 402 may present a login form to client web browser application 400. The user may then enter appropriate login information, and client authentication unit 314 of photo service 402 may redirect web browser application 400 to the authentication request endpoint of account management provider 304 with an authentication request encoded as a URL parameter. Account management provider 304 may then authenticate the user login information and redirect the client web browser application back to photo service 402 with a SAML artifact as a parameter. Client authentication unit 314 may then send a message to account management provider 304 requesting resolution of the SAML artifact. Account management provider 304 may then respond with a SAML assertion, which comprises the user account identifier known to photo service 402, and a request token. Service user interface 312 of photo service 402 may now provide the user's home page to client web browser application 400, which may, for example, include links to the user's photo albums.
The user may then click a link to access one of their photo albums. Photo service 402 may now need to retrieve a number of photo files from storage service 402. Photo service 402 therefore needs an access token, and constructs a create access token request message (comprising the request token received in the SAML assertion and an indication of storage service 406, such as the DNS name of storage service 406). Photo service 402 may sign the create access token request message using the photo service key and photo service secret, and send the message to account management provider 304 over TLS.
Token creation unit 322 of account management provider 304 may then determine that the request type of the create access token request message is a request token exchange, and extract the request token, the photo service key (equivalent to a client key for the purpose of calling the storage service) and the photo service secret (equivalent to a client secret for the purpose of calling the storage service). Token creation unit 322 may then verify the signature of the create access token request message based on the extracted parameters, and verify the association between the request token, the photo service key and the photo service secret. Assuming that token creation unit 322 successfully verifies the create access token request message, token creation unit 322 may create an access token and associate it with the requesting user's authentication session, with storage service 406 and with a token secret. Token creation unit 322 may then send a message comprising the access token and the token secret to photo service 402.
Photo service 402 may then construct a get file message comprising the received access token, the requested file name and the photo service key. Photo service 402 may sign the get file message using its photo service secret and the token secret, and send the message to storage service 406. As before, storage service 406 may extract the parameters from the message, construct a token information request message and send it to account management provider 304. Again as before, account management provider 304 may verify the access token and respond to storage service 406 with a token information message. As before, storage service 406 may use the parameters contained in the token information message to verify the get file message, and determine how to access the user's files appropriately using the user ID received in the token information message.
Figs. 5 and 6 are flowcharts of a system, method and computer program product according to exemplary embodiments of the invention. It will be understood that each block or step of the flowcharts, and combinations of blocks or steps in the flowcharts, can be implemented by various means, such as hardware, firmware and/or software including one or more computer program instructions. For example, one or more of the procedures described herein may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device of a mobile terminal, server or other computing device and executed by a built-in processor in the computing device. It will be understood that any such computer program instructions may be loaded onto a computer or other programmable apparatus (i.e., hardware) to produce a machine, such that the instructions which execute on the computer or other programmable apparatus create means for implementing the functions specified in the flowchart blocks or steps. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in the flowchart blocks or steps. The computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart blocks or steps.
Accordingly, blocks or steps of the flowcharts support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and computer instruction means for performing the specified functions. It will also be understood that one or more blocks or steps of the flowcharts, and combinations of blocks or steps in the flowcharts, can be implemented by special-purpose hardware-based computer systems which perform the specified functions or steps, or by combinations of special-purpose hardware and computer instructions.
In this regard, Fig. 5 illustrates an exemplary method according to an exemplary embodiment of the present invention for providing single service sign-on from the perspective of the account management provider. The method may include receiving, at operation 500, a create access token request message from a remote entity, the message comprising an indication of the requested service. Operation 510 may comprise the account management provider determining the request type. In this regard, the request type may be a user ID and password combination, a request token exchange or an access token exchange. At operation 520, the account management provider may then extract one or more parameters from the create access token request message based on the determined request type. Operation 530 may comprise the account management provider performing one or more security checks based at least in part on the one or more extracted parameters. At operation 540, the account management provider may then create an access token based on the results of the one or more security checks. Operation 550 may comprise the account management provider providing the access token to the requesting remote entity.
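The account management provider's side of the use case above (token issuance for the user ID and password, request token exchange and access token exchange cases, and the token information request of claim 7) and of the Fig. 5 method, as an added example in Python. This is illustrative code, not the patent's or Nokia's own implementation. It assumes that "signing" means HMAC-SHA256 keyed by the secrets joined with `&` (the patent only says messages are signed with the named secrets), a constructed registry of one client key, two service keys and one user, a ten-minute token lifetime, and names of its own (`PRINCIPALS`, `build_request`, `create_access_token`, `token_info`, `issue_request_token`).

```python
import hashlib
import hmac
import secrets
import time

# Constructed registry standing in for the account management provider's stored
# account data (not from the patent). A "principal" is anything holding a
# key/secret pair: a client application, or a service acting as a client.
PRINCIPALS = {
    "photo-client-key": {"secret": "photo-client-secret",
                         "users": {"alice"}, "services": {"photo"}},
    "photo-svc-key": {"secret": "photo-svc-secret",
                      "users": set(), "services": {"storage"}},
    "storage-svc-key": {"secret": "storage-svc-secret",
                        "users": set(), "services": set()},
}
SERVICE_KEYS = {"photo": "photo-svc-key", "storage": "storage-svc-key"}
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
REQUEST_TOKENS = {}  # request token -> (user, client key), issued with the SAML assertion
TOKENS = {}          # access token -> binding of user, service, client key, secret, expiry
TOKEN_TTL = 600      # assumption: access tokens live ten minutes


def sign(secret_parts, body):
    """HMAC-SHA256 over the body, keyed by the '&'-joined secrets. The patent only
    says messages are signed with these secrets; the HMAC construction is assumed."""
    return hmac.new("&".join(secret_parts).encode(), body.encode(),
                    hashlib.sha256).hexdigest()


def build_request(secret_parts, **fields):
    """Sender side: serialise the fields as the message body and sign it."""
    body = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return {**fields, "body": body, "signature": sign(secret_parts, body)}


def _require(condition, reason):
    if not condition:
        raise PermissionError(reason)


def _check_sig(secret_parts, req):
    _require(hmac.compare_digest(sign(secret_parts, req["body"]), req["signature"]),
             "bad signature")


def _issue(user, service, client_key):
    """Random, short-lived access token and token secret, bound to the user, the
    requested service and the key of the principal that asked for it."""
    token, token_secret = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    TOKENS[token] = {"user": user, "service": service, "client_key": client_key,
                     "secret": token_secret, "expires": time.time() + TOKEN_TTL}
    return {"access_token": token, "token_secret": token_secret}


def issue_request_token(user, client_key):
    """Request token handed to a service together with the SAML assertion."""
    request_token = secrets.token_urlsafe(16)
    REQUEST_TOKENS[request_token] = (user, client_key)
    return request_token


def create_access_token(req):
    """Operations 500-550 of Fig. 5: determine the request type, extract the
    type-specific parameters, run the security checks, then issue a token."""
    service, rtype, client_key = req["service"], req["type"], req["client_key"]
    _require(service in SERVICE_KEYS, "unknown requested service")
    principal = PRINCIPALS.get(client_key)
    _require(principal is not None, "unknown client key")
    if rtype == "user_password":
        # parameters: user ID, password hash, signature with client key + client secret
        user = req["user_id"]
        _require(USERS.get(user) == req["password_hash"], "bad credentials")
        _check_sig([client_key, principal["secret"]], req)
        _require(user in principal["users"] and service in principal["services"],
                 "client not associated with this user and service")
        return _issue(user, service, client_key)
    if rtype == "request_token":
        # parameters: request token, signature with client key + client secret
        _check_sig([client_key, principal["secret"]], req)
        user, holder = REQUEST_TOKENS.pop(req["request_token"], (None, None))  # single use
        _require(holder == client_key, "request token not bound to this client")
        _require(service in principal["services"], "not allowed to call that service")
        return _issue(user, service, client_key)
    if rtype == "access_token_exchange":
        # parameters: previously issued token, signature with client secret + token secret
        old = TOKENS.get(req["access_token"])
        _require(old is not None and old["expires"] > time.time(), "unknown or expired token")
        _check_sig([principal["secret"], old["secret"]], req)
        # only the service the old token was issued for may exchange it onward
        _require(SERVICE_KEYS[old["service"]] == client_key, "token not issued to this service")
        _require(service in principal["services"], "not allowed to call that service")
        return _issue(old["user"], service, client_key)
    raise PermissionError("unknown request type")


def token_info(req):
    """Claim 7: a service presents an access token signed with its service key and
    secret, and gets back the user ID, token secret and client key bound to it."""
    service_key = req["service_key"]
    svc = PRINCIPALS.get(service_key)
    _require(svc is not None, "unknown service key")
    _check_sig([service_key, svc["secret"]], req)
    tok = TOKENS.get(req["access_token"])
    _require(tok is not None and tok["expires"] > time.time(), "unknown or expired token")
    _require(SERVICE_KEYS[tok["service"]] == service_key, "token not issued for this service")
    return {"user_id": tok["user"], "token_secret": tok["secret"],
            "client_key": tok["client_key"]}
```

The chain from the use case runs as: the photo client calls `create_access_token` with a `user_password` request, the photo service calls `token_info` on the resulting token, then exchanges that token for a storage token with an `access_token_exchange` request signed with its service secret and the token secret. The `token_info` check that the asking service is the one the token was issued for is what stops a token issued for the photo service from being resolved by the storage service, and the access token exchange check that the exchanging key belongs to that same service is what ties the delegation chain to the service that actually received the token.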
Fig. 6 illustrates an exemplary method according to an exemplary embodiment of the present invention for providing single service sign-on from the perspective of a service provider. Referring first to Fig. 6a, operation 600 may comprise receiving a service access request, for example from a user device or from another service provider. Operation 605 may comprise determining whether the service access request was received from a web browser application. If the request was not received from a web browser application, the method may proceed to operation 620 of Fig. 6b. Operation 620 may comprise retrieving the access token from the service access request message. The service provider may then construct a token information request message at operation 625 and send the token information request message to the account management provider at operation 630. Operation 635 may comprise the service provider receiving a token information message from the account management provider. At operation 640, the service provider may then verify the signature and the client key of the service access request message based on the information obtained in the token information message. If the service provider successfully verifies the service access request message, the method may proceed to operation 615 of Fig. 6a, where the service provider may provide the requested service based on the authentication level and access protocol capabilities of the requesting client.
Refer again to Fig. 6 a, if at operation 605 place, ISP determines that service attach request message receives from web browser application, then at operation 610 place, ISP can determine whether there is and log on session for the single of requesting client.Singlely log on session if existed, then at operation 615 place, ISP can client-based certification level and access protocol ability, provides asked service.If there is no log on session, then the method can advance to the operation 645 of Fig. 6 c.At this point, operation 645 can comprise: receive user login information, and utilizes the authentication request being encoded to parameter, and client web browser application is redirected to account management supplier.At operation 650 place, the client web browser application that ISP can receive then from account management supplier is redirected, during wherein SAML pseudomorphism is included in and is redirected.Operation 655 can comprise: ISP sends message to account management supplier, and request account management supplier resolves this SAML pseudomorphism.At operation 660 place, the SAML that ISP can receive then from account management supplier states, it comprises account identification and the request token of requesting client.ISP at operation 665 place, can provide the Service home page of user then to client web browser application.
With reference now to Fig. 6 d, carry out interaction user and service, at operation 670 place, ISP can receive request that apply from client web browser, that require to transfer second service.At operation 675 place, ISP can construct the establishment access token request message comprising request token then, and sends establishment access token request message at operation 680 place to account management supplier.ISP can receive access token from account management supplier in operation 685 then, and then sends to second service supplier the service attach request message comprising access token at operation 690 place.Second service supplier (can be described the) above to it for the first service supplier as requesting client from the operation 600 of Fig. 6 a then.
The functions described above may be carried out in many ways. For example, any suitable means for carrying out each of the functions described above may be employed to carry out embodiments of the invention. In one embodiment, all or a portion of the elements generally operate under control of a computer program product. The computer program product for performing the methods of embodiments of the invention includes a computer-readable storage medium, such as a non-volatile storage medium, and computer-readable program code portions, such as a series of computer instructions, embodied in the computer-readable storage medium.
Embodiments of the present invention may therefore provide several advantages to users of computing devices, such as mobile terminal 10. For example, a user of a user device may be provided with single service sign-on, which allows the user to use various services while being required to sign on to only a single service. In this regard, the account management provider may manage and facilitate interaction between the user and a plurality of services. Embodiments of the present invention further provide convenience to service providers in the form of common application libraries and interfaces that may be used for authentication purposes, while authentication processing for a plurality of service providers may be handled centrally by the account management provider. In addition, embodiments of the present invention may provide device- and application-independent single service sign-on, in that the account management provider may receive and respond to requests received in a plurality of different protocols, and all single sign-ons are associated with the requesting user, so that a sign-on session may be maintained or associated even if the user performs subsequent service requests using another application or computing device. Furthermore, embodiments of the present invention may provide enhanced security by using short-lived access tokens to protect the data and content provided by service providers as well as user accounts.
Many modifications and other embodiments of the invention will come to mind to one skilled in the art having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that embodiments of the invention are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing description and the associated drawings describe exemplary embodiments in the context of certain exemplary combinations of elements and/or functions, it should be appreciated that different combinations of elements and/or functions may be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, different combinations of elements and/or functions than those explicitly described above are also contemplated as may be set forth in some of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (14)

1. A method of communicating, comprising:
receiving a request for an access token from a remote entity, wherein the request comprises an indication of a requested service;
determining a request type of the received request, wherein the determined request type is one of: a user ID and password combination, a request token exchange, or an access token exchange;
extracting one or more parameters included in the request based on the determined request type;
performing one or more security checks based at least in part on the one or more extracted parameters;
creating an access token based at least in part on the results of the one or more security checks; and
providing the access token to the remote entity,
wherein extracting one or more parameters included in the request based on the determined request type comprises:
if the determined request type is a user ID and password combination, extracting a user ID, a password hash, and a signature comprising a client key and a client secret;
if the determined request type is a request token exchange, extracting a request token and a signature comprising a client key and a client secret; or
if the determined request type is an access token exchange, extracting a previously issued access token and a signature comprising a client secret and a token secret,
wherein the client secret is a secret associated with the client, and the token secret is a secret associated with the token.
2. The method of claim 1, wherein performing one or more security checks based at least in part on the one or more extracted parameters comprises:
if the determined request type is a user ID and password combination, verifying that the user ID and the hash of the password are known and correspond to each other, verifying the signature, and verifying an association between the client identity, the user ID and the requested service;
if the determined request type is a request token exchange, verifying the signature, and verifying an association between the request token, the client key and the client secret; or
if the determined request type is an access token exchange, verifying the signature, and verifying an association between the previously issued access token, the token secret and the client secret.
3. The method of claim 1 or 2, wherein performing one or more security checks based at least in part on the one or more extracted parameters further comprises verifying that the remote entity is authorized to access the requested service.
4. The method of claim 1 or 2, wherein creating an access token based at least in part on the results of the one or more security checks comprises creating an access token associated with a user and the requested service, and creating a token secret associated with the access token,
wherein the token secret is a secret associated with the token.
5. The method of claim 1 or 2, wherein creating an access token based at least in part on the results of the one or more security checks comprises creating an access token with defined access permissions, wherein the defined access permissions comprise one or more of: one or more associated services for which the access token may be used, one or more associated users, a validity period of the access token, and a number of accesses for which the access token is valid.
6. The method of claim 1 or 2, wherein the remote entity is one of a client device or a service provider.
7. The method of claim 1 or 2, further comprising, after providing the access token to the remote entity:
receiving a token information request message from the remote entity, wherein the token information request message comprises the access token, and wherein the token information request message is signed using a service key and a service secret;
verifying an association between the access token, the service key and the service secret;
determining a user ID, a token secret and a client secret associated with the access token; and
sending a message comprising the determined user ID, a client key and the token secret to the service,
wherein the client secret is a secret associated with the client, and the token secret is a secret associated with the token.
8. An apparatus for communicating, comprising:
means for receiving a request for an access token from a remote entity, wherein the request comprises an indication of a requested service;
means for determining a request type of the received request, wherein the determined request type is one of: a combination of user ID and password, a request token exchange, or an access token exchange;
means for extracting one or more parameters comprised in the request based on the determined request type;
means for performing one or more security checks based at least in part on the extracted one or more parameters;
means for creating an access token based at least in part on the result of the one or more security checks; and
means for providing the access token to the remote entity, wherein the means for extracting comprises:
means for extracting, if the determined request type is a combination of user ID and password, the user ID, a password hash and a signature comprising a client key and a client secret;
means for extracting, if the determined request type is a request token exchange, the request token and a signature comprising a client key and a client secret; or
means for extracting, if the determined request type is an access token exchange, a previously issued access token and a signature comprising a client secret and a token secret,
wherein the client secret is a secret associated with the client, and the token secret is a secret associated with the token.
9. The apparatus according to claim 8, wherein the means for performing comprises:
means for verifying, if the determined request type is a combination of user ID and password, that the user ID and the hash of the password are known and correspond to each other, verifying the signature, and verifying the association between the client identifier, the user ID and the requested service;
means for verifying, if the determined request type is a request token exchange, the signature, and verifying the association between the request token, the client key and the client secret; or
means for verifying, if the determined request type is an access token exchange, the signature, and verifying the association between the previously issued access token, the token secret and the client secret.
10. The apparatus according to claim 8 or 9, wherein the means for performing comprises: means for verifying that the remote entity is authorized to access the requested service.
11. The apparatus according to claim 8 or 9, wherein the means for creating an access token comprises: means for creating an access token associated with the user and the requested service, and means for creating a token secret associated with the access token,
wherein the token secret is a secret associated with the token.
12. The apparatus according to claim 8 or 9, wherein the means for creating an access token comprises: means for creating an access token with defined access permissions, wherein the defined access permissions comprise one or more of: one or more associated services that the access token may be used to access, one or more associated users, a validity period during which the access token is valid, and a number of accesses for which the access token is valid.
13. The apparatus according to claim 8 or 9, wherein the remote entity is one of a client device or a service provider.
14. The apparatus according to claim 8 or 9, further comprising:
means for receiving a token information request message from the remote entity, wherein the token information request message comprises the access token, and wherein the token information request message is signed using a service key and a service secret;
means for verifying the association between the access token, the service key and the service secret;
means for determining the user ID, token secret and client secret associated with the access token; and
means for sending to the service a message comprising the determined user ID, client key and token secret,
wherein the client secret is a secret associated with the client, and the token secret is a secret associated with the token.
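The issuance flow of claims 1 to 7, and its apparatus mirror in claims 8 to 14, as an added example that is not code from the patent or from Nokia: determine the request type, extract its parameters, run the security checks, create an access token with its own token secret and access permissions, and answer a service's signed token-information request. The claims name the secrets that each signature "comprises" but not the algorithm, so this example assumes an HMAC-SHA256 over the request fields keyed by those secrets joined with "&"; the registries, client keys, secrets, user names and request tokens are constructed sample data.

```python
# Added example, not the patent's own code. Assumptions the claims do not state:
# the "signature comprising X and Y" is HMAC-SHA256 over the request fields keyed
# by X and Y joined with "&"; registries are in-memory dicts; every key, secret,
# user name and token below is constructed sample data.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def password_hash(password: bytes) -> str:
    """Stand-in for the 'password hash' the claims extract (assumed SHA-256)."""
    return hashlib.sha256(password).hexdigest()


def _mac(req: dict, *keys: str) -> str:
    """HMAC over every field except 'signature', keyed by the given secrets."""
    msg = "\n".join(f"{k}={req[k]}" for k in sorted(req) if k != "signature")
    return hmac.new("&".join(keys).encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign(req: dict, *keys: str) -> dict:
    """Client or service side: return a copy of the request carrying its signature."""
    return {**req, "signature": _mac(req, *keys)}


def verified(req: dict, *keys: str) -> bool:
    """Server side: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(_mac(req, *keys), req.get("signature", ""))


def is_rejected(handler, req: dict) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(req)
        return False
    except PermissionError:
        return True


@dataclass
class AccessToken:            # claim 4: the token and its associated token secret
    token: str
    secret: str
    user_id: str
    client_key: str
    service: str              # claim 5: service the token may be used to access
    expires_at: float         # claim 5: validity period
    uses_left: int            # claim 5: number of accesses


class TokenService:
    def __init__(self, now=time.time):
        self.now = now
        # constructed registries: client_key -> (client_secret, services it may access)
        self.clients = {"client-1": ("client-secret-1", {"mail", "calendar"})}
        self.users = {"alice": password_hash(b"correct horse")}
        self.services = {"mail": "service-secret-mail"}          # service_key -> secret
        self.request_tokens = {"rt-1": ("client-1", "alice")}   # request token -> owner
        self.access_tokens = {}                                 # token -> AccessToken

    def request_access_token(self, req: dict) -> AccessToken:
        kind, client_key, service = req["type"], req["client_key"], req["service"]
        if client_key not in self.clients:
            raise PermissionError("unknown client key")
        client_secret, allowed = self.clients[client_key]
        if kind == "password":                       # user ID + password hash
            user_id = req["user_id"]
            if not verified(req, client_secret) or not hmac.compare_digest(
                    self.users.get(user_id, ""), req["password_hash"]):
                raise PermissionError("bad signature or credentials")
        elif kind == "request_token":                # request-token exchange
            owner = self.request_tokens.get(req["request_token"])
            if owner is None or owner[0] != client_key or not verified(req, client_secret):
                raise PermissionError("request token not bound to this client")
            del self.request_tokens[req["request_token"]]   # single use
            user_id = owner[1]
        elif kind == "access_token":                 # access-token exchange
            old = self.access_tokens.get(req["access_token"])
            if old is None or old.client_key != client_key or not verified(
                    req, client_secret, old.secret):
                raise PermissionError("access token not bound to this client")
            user_id = old.user_id
        else:
            raise ValueError("unknown request type")
        if service not in allowed:                   # claim 3: authorisation
            raise PermissionError("client not authorised for service")
        tok = AccessToken(secrets.token_urlsafe(16), secrets.token_urlsafe(24), user_id,
                          client_key, service, self.now() + 3600, uses_left=3)
        self.access_tokens[tok.token] = tok
        return tok

    def token_info(self, req: dict) -> dict:
        """Claim 7: a service asks who a token belongs to, signed with its key and secret."""
        service_key = req["service_key"]
        service_secret = self.services.get(service_key)
        if service_secret is None or not verified(req, service_secret):
            raise PermissionError("bad service signature")
        tok = self.access_tokens.get(req["access_token"])
        if tok is None or tok.service != service_key:
            raise PermissionError("token was not issued for this service")
        if self.now() > tok.expires_at or tok.uses_left <= 0:   # claim 5 limits
            raise PermissionError("token expired or exhausted")
        tok.uses_left -= 1
        return {"user_id": tok.user_id, "client_key": tok.client_key, "token_secret": tok.secret}
```

Two design points follow from the claims rather than from the assumed MAC. Because the access-token exchange is keyed by the client secret and the token secret together, a captured access token alone cannot be traded for a fresh one; and because `token_info` checks that the token was issued for the requesting service before answering, one service cannot resolve tokens issued to another. The request token is consumed on first use, and every comparison of a secret or digest goes through `hmac.compare_digest`.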
CN200980114680.7A 2008-04-25 2009-03-10 The method logged on for providing single service, equipment and computer program Expired - Fee Related CN102017572B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US12/109,644 2008-04-25
US12/109,644 US20090271847A1 (en) 2008-04-25 2008-04-25 Methods, Apparatuses, and Computer Program Products for Providing a Single Service Sign-On
PCT/FI2009/050189 WO2009130370A1 (en) 2008-04-25 2009-03-10 Methods, apparatuses, and computer program products for providing a single service sign-on

Publications (2)

Publication Number Publication Date
CN102017572A CN102017572A (en) 2011-04-13
CN102017572B true CN102017572B (en) 2015-09-30

Family

ID=41216293

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200980114680.7A Expired - Fee Related CN102017572B (en) 2008-04-25 2009-03-10 The method logged on for providing single service, equipment and computer program

Country Status (5)

Country Link
US (1) US20090271847A1 (en)
EP (1) EP2269357A4 (en)
KR (1) KR101270323B1 (en)
CN (1) CN102017572B (en)
WO (1) WO2009130370A1 (en)

Families Citing this family (111)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8996421B2 (en) * 2006-05-15 2015-03-31 The Directv Group, Inc. Methods and apparatus to conditionally authorize content delivery at broadcast headends in pay delivery systems
US8312033B1 (en) 2008-06-26 2012-11-13 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
CN101616136B (en) * 2008-06-26 2013-05-01 阿里巴巴集团控股有限公司 Method for supplying internet service and service integrated platform system
US8051465B1 (en) 2008-09-26 2011-11-01 Amazon Technologies, Inc. Mitigating forgery of electronic submissions
US9112702B2 (en) * 2009-04-29 2015-08-18 Microsoft Technology Licensing, Llc Alternate authentication
US8707404B2 (en) * 2009-08-28 2014-04-22 Adobe Systems Incorporated System and method for transparently authenticating a user to a digital rights management entity
US9003540B1 (en) 2009-10-07 2015-04-07 Amazon Technologies, Inc. Mitigating forgery for active content
US8544076B2 (en) * 2009-11-11 2013-09-24 Blackberry Limited Using a trusted token and push for validating the request for single sign on
CN102687482B (en) * 2009-12-29 2016-03-09 诺基亚技术有限公司 The distributed authentication of data cloud
CN102196012B (en) * 2010-03-17 2013-08-07 华为技术有限公司 Service opening method, system and service opening server
CN102238007A (en) * 2010-04-20 2011-11-09 阿里巴巴集团控股有限公司 Method, device and system for acquiring session token of user by third-party application
US10015286B1 (en) * 2010-06-23 2018-07-03 F5 Networks, Inc. System and method for proxying HTTP single sign on across network domains
US20110321147A1 (en) 2010-06-28 2011-12-29 International Business Machines Corporation Dynamic, temporary data access token
US8505106B1 (en) * 2010-06-30 2013-08-06 Amazon Technologies, Inc. Cross site request forgery mitigation in multi-domain integrations
KR101676826B1 (en) * 2010-09-30 2016-11-17 네이버 주식회사 System and method for management of membership using community page
KR20120057734A (en) * 2010-11-22 2012-06-07 삼성전자주식회사 Server, device accessing server and control method
US8868915B2 (en) * 2010-12-06 2014-10-21 Verizon Patent And Licensing Inc. Secure authentication for client application access to protected resources
AP2013006967A0 (en) 2011-01-13 2013-07-31 Infosys Ltd System and method for accessing integrated applications in a single sign-on enabled enterprise solution
EP2676497B1 (en) * 2011-02-15 2018-04-18 BlackBerry Limited System and method for identity management for mobile devices
FI20115184A0 (en) * 2011-02-24 2011-02-24 Teknologian Tutkimuskeskus Vtt Oy Method and apparatus for measuring unit cohesion
US9052861B1 (en) 2011-03-27 2015-06-09 Hewlett-Packard Development Company, L.P. Secure connections between a proxy server and a base station device
CN102739708B (en) * 2011-04-07 2015-02-04 腾讯科技(深圳)有限公司 System and method for accessing third party application based on cloud platform
CN102685086A (en) * 2011-04-14 2012-09-19 天脉聚源(北京)传媒科技有限公司 File access method and system
US8943574B2 (en) 2011-05-27 2015-01-27 Vantiv, Llc Tokenizing sensitive data
US8966588B1 (en) 2011-06-04 2015-02-24 Hewlett-Packard Development Company, L.P. Systems and methods of establishing a secure connection between a remote platform and a base station device
US9665854B1 (en) 2011-06-16 2017-05-30 Consumerinfo.Com, Inc. Authentication alerts
CN103620602B (en) * 2011-06-27 2017-09-19 谷歌公司 To the persistence cipher key access of the resource in set
US20130144755A1 (en) * 2011-12-01 2013-06-06 Microsoft Corporation Application licensing authentication
CN103188244B (en) * 2011-12-31 2016-04-06 卓望数码技术(深圳)有限公司 The system and method for empowerment management is realized based on open authorized agreement
CN104115465A (en) 2012-01-20 2014-10-22 交互数字专利控股公司 Identity management with local functionality
EP2817934A1 (en) * 2012-02-22 2014-12-31 Nokia Solutions and Networks Oy Controlling access
US9465931B2 (en) * 2012-05-18 2016-10-11 Igt Secure online gaming registration system with privacy controls
JP5968077B2 (en) * 2012-05-22 2016-08-10 キヤノン株式会社 Information processing apparatus, control method therefor, program, and image processing apparatus
US11424930B2 (en) * 2012-05-22 2022-08-23 Barclays Bank Delaware Systems and methods for providing account information
US8856887B2 (en) 2012-07-09 2014-10-07 Ping Identity Corporation Methods and apparatus for delegated authentication token retrieval
US10891599B2 (en) * 2012-09-12 2021-01-12 Microsoft Technology Licensing, Llc Use of state objects in near field communication (NFC) transactions
CN102868533B (en) * 2012-09-13 2016-05-25 中科华核电技术研究院有限公司 resource access authorization verification method and system
JP2014115895A (en) * 2012-12-11 2014-06-26 Canon Inc Information processor and control method therefor, and program
US9430655B1 (en) * 2012-12-28 2016-08-30 Emc Corporation Split tokenization
US8595810B1 (en) * 2013-01-13 2013-11-26 Mourad Ben Ayed Method for automatically updating application access security
US9633322B1 (en) 2013-03-15 2017-04-25 Consumerinfo.Com, Inc. Adjustment of knowledge-based authentication
US10664936B2 (en) 2013-03-15 2020-05-26 Csidentity Corporation Authentication systems and methods for on-demand products
CN104125565A (en) * 2013-04-23 2014-10-29 中兴通讯股份有限公司 Method for realizing terminal authentication based on OMA DM, terminal and server
US9721147B1 (en) 2013-05-23 2017-08-01 Consumerinfo.Com, Inc. Digital identity
CN104375999A (en) * 2013-08-13 2015-02-25 李小波 System and method for communicating different social networks
US9917911B2 (en) * 2013-09-18 2018-03-13 Mivalife Mobile Technology, Inc. Security system communications management
US9531718B2 (en) 2013-09-19 2016-12-27 Google Inc. Confirming the identity of integrator applications
US9397990B1 (en) * 2013-11-08 2016-07-19 Google Inc. Methods and systems of generating and using authentication credentials for decentralized authorization in the cloud
CN103618705A (en) * 2013-11-20 2014-03-05 浪潮电子信息产业股份有限公司 Personal code managing tool and method under open cloud platform
US10325259B1 (en) 2014-03-29 2019-06-18 Acceptto Corporation Dynamic authorization with adaptive levels of assurance
US10373240B1 (en) 2014-04-25 2019-08-06 Csidentity Corporation Systems, methods and computer-program products for eligibility verification
US10021077B1 (en) * 2014-05-12 2018-07-10 Google Llc System and method for distributing and using signed send tokens
US9595023B1 (en) 2014-05-21 2017-03-14 Plaid Technologies, Inc. System and method for facilitating programmatic verification of transactions
US9449346B1 (en) 2014-05-21 2016-09-20 Plaid Technologies, Inc. System and method for programmatically accessing financial data
CN105306498B (en) * 2014-06-12 2019-04-16 中国电信股份有限公司 Method, system and the cloud platform of user's access third-party application
US9667424B2 (en) 2014-06-26 2017-05-30 Xiaomi Inc. Methods and apparatuses for binding token key to account
CN104125067B (en) * 2014-06-26 2017-05-24 小米科技有限责任公司 Account and token secret key binding method and device
CN106162574B (en) * 2015-04-02 2020-08-04 成都鼎桥通信技术有限公司 Unified authentication method for applications in cluster system, server and terminal
US9350556B1 (en) 2015-04-20 2016-05-24 Google Inc. Security model for identification and authentication in encrypted communications using delegate certificate chain bound to third party key
US10044718B2 (en) 2015-05-27 2018-08-07 Google Llc Authorization in a distributed system using access control lists and groups
US10387980B1 (en) 2015-06-05 2019-08-20 Acceptto Corporation Method and system for consumer based access control for identity information
EP3347846B1 (en) 2015-09-08 2021-12-22 Plaid Inc. Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts
US10462116B1 (en) * 2015-09-15 2019-10-29 Amazon Technologies, Inc. Detection of data exfiltration
JP6682254B2 (en) 2015-12-08 2020-04-15 キヤノン株式会社 Authentication cooperation system, authentication cooperation method, authorization server and program
JP6677496B2 (en) * 2015-12-08 2020-04-08 キヤノン株式会社 Authentication federation system and authentication federation method, authorization server, application server and program
CN105472015A (en) * 2015-12-22 2016-04-06 广州华多网络科技有限公司 Method and device for accessing cloud platform to third-party application
US10726491B1 (en) 2015-12-28 2020-07-28 Plaid Inc. Parameter-based computer evaluation of user accounts based on user account data stored in one or more databases
US10984468B1 (en) 2016-01-06 2021-04-20 Plaid Inc. Systems and methods for estimating past and prospective attribute values associated with a user account
WO2017131892A1 (en) 2016-01-29 2017-08-03 Google Inc. Device access revocation
US10205786B2 (en) * 2016-04-22 2019-02-12 Microsoft Technology Licensing, Llc Multi-user application executing in user privilege mode
KR101712774B1 (en) * 2016-05-09 2017-03-06 라인 비즈플러스 피티이. 엘티디. Method and system for interworking between servers identifying user registered in each servers using different user identification system
US10541813B2 (en) * 2016-05-09 2020-01-21 Aetna Inc. Incorporating multiple authentication systems and protocols in conjunction
US10938814B2 (en) 2016-05-09 2021-03-02 Aetna Inc. Unified authentication software development kit
JP6668934B2 (en) * 2016-05-12 2020-03-18 株式会社リコー Service providing system, service providing apparatus, service providing method, and program
AU2017281938A1 (en) 2016-06-24 2018-10-25 Visa International Service Association Unique token authentication cryptogram
US20180034795A1 (en) * 2016-07-29 2018-02-01 Microsoft Technology Licensing, Llc Simplified Configuration of Computing Devices for Use with Multiple Network Services
JP6897155B2 (en) * 2017-02-27 2021-06-30 富士フイルムビジネスイノベーション株式会社 Information processing equipment and information processing programs
US10878421B2 (en) 2017-07-22 2020-12-29 Plaid Inc. Data verified deposits
US11468085B2 (en) 2017-07-22 2022-10-11 Plaid Inc. Browser-based aggregation
US11290466B2 (en) * 2017-08-16 2022-03-29 Cable Television Laboratories, Inc. Systems and methods for network access granting
JP6904857B2 (en) * 2017-08-31 2021-07-21 キヤノン株式会社 Delegation system, control method, and program
US11367323B1 (en) 2018-01-16 2022-06-21 Secureauth Corporation System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score
US11133929B1 (en) 2018-01-16 2021-09-28 Acceptto Corporation System and method of biobehavioral derived credentials identification
US10735400B2 (en) * 2018-02-13 2020-08-04 Vmware, Inc. Mechanism of passing security tokens through both untrusted and validating intermediaries
US11455641B1 (en) 2018-03-11 2022-09-27 Secureauth Corporation System and method to identify user and device behavior abnormalities to continuously measure transaction risk
US10911234B2 (en) 2018-06-22 2021-02-02 Experian Information Solutions, Inc. System and method for a token gateway environment
US11316862B1 (en) 2018-09-14 2022-04-26 Plaid Inc. Secure authorization of access to user accounts by one or more authorization mechanisms
TWI725352B (en) * 2018-11-05 2021-04-21 緯創資通股份有限公司 Method for authentication and authorization and authentication server using the same
US10956972B2 (en) * 2018-12-26 2021-03-23 Paypal, Inc. Account access system
US11657391B1 (en) 2019-05-24 2023-05-23 Hiro Systems Pbc System and method for invoking smart contracts
US10699269B1 (en) * 2019-05-24 2020-06-30 Blockstack Pbc System and method for smart contract publishing
US11513815B1 (en) 2019-05-24 2022-11-29 Hiro Systems Pbc Defining data storage within smart contracts
US11096059B1 (en) 2019-08-04 2021-08-17 Acceptto Corporation System and method for secure touchless authentication of user paired device, behavior and identity
US10922631B1 (en) 2019-08-04 2021-02-16 Acceptto Corporation System and method for secure touchless authentication of user identity
US10824702B1 (en) 2019-09-09 2020-11-03 Acceptto Corporation System and method for continuous passwordless authentication across trusted devices
US11941065B1 (en) 2019-09-13 2024-03-26 Experian Information Solutions, Inc. Single identifier platform for storing entity data
EP3823234A1 (en) * 2019-11-12 2021-05-19 Accenture Global Solutions Limited System and method for management of policies and user data during application access sessions
US10951606B1 (en) 2019-12-04 2021-03-16 Acceptto Corporation Continuous authentication through orchestration and risk calculation post-authorization system and method
US11887069B2 (en) 2020-05-05 2024-01-30 Plaid Inc. Secure updating of allocations to user accounts
CN112069490B (en) * 2020-08-27 2023-08-15 北京百度网讯科技有限公司 Method and device for providing applet capability, electronic equipment and storage medium
US11329998B1 (en) 2020-08-31 2022-05-10 Secureauth Corporation Identification (ID) proofing and risk engine integration system and method
US11327960B1 (en) 2020-10-16 2022-05-10 Plaid Inc. Systems and methods for data parsing
US11689924B2 (en) * 2021-04-02 2023-06-27 Vmware, Inc. System and method for establishing trust between multiple management entities with different authentication mechanisms
CN113641518A (en) * 2021-08-16 2021-11-12 京东科技控股股份有限公司 Service calling method, device and storage medium
CN114327389B (en) * 2021-12-24 2023-03-24 商派软件有限公司 Application management method, account management plug-in and application management system
US20230289411A1 (en) * 2022-03-10 2023-09-14 Atlassian Pty Ltd Systems and methods for integrating computer applications
CN114614993B (en) * 2022-03-22 2024-02-06 平安证券股份有限公司 System interaction method and device, electronic equipment and storage medium
US11929891B1 (en) 2023-01-10 2024-03-12 Dell Products L.P. System and method for distributed management of hardware through relationship management
US11831706B1 (en) 2023-01-10 2023-11-28 Dell Products L.P. System and method for distributed management of storage systems based on intent
US11907230B1 (en) 2023-01-10 2024-02-20 Dell Products L.P. System and method for distributed management of hardware based on intent
US11770456B1 (en) * 2023-01-10 2023-09-26 Dell Products L.P. System and method for distributed management of storage systems based on subscription changes

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1940956A (en) * 2005-09-29 2007-04-04 捷讯研究有限公司 System and method for providing code signing services

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7137006B1 (en) * 1999-09-24 2006-11-14 Citicorp Development Center, Inc. Method and system for single sign-on user access to multiple web servers
US7290288B2 (en) * 1997-06-11 2007-10-30 Prism Technologies, L.L.C. Method and system for controlling access, by an authentication server, to protected computer resources provided via an internet protocol network
US7016877B1 (en) * 2000-08-04 2006-03-21 Enfotrust Networks, Inc. Consumer-controlled limited and constrained access to a centrally stored information account
US7610390B2 (en) * 2001-12-04 2009-10-27 Sun Microsystems, Inc. Distributed network identity
US7246230B2 (en) * 2002-01-29 2007-07-17 Bea Systems, Inc. Single sign-on over the internet using public-key cryptography
US7221935B2 (en) * 2002-02-28 2007-05-22 Telefonaktiebolaget Lm Ericsson (Publ) System, method and apparatus for federated single sign-on services
WO2005003907A2 (en) * 2003-06-26 2005-01-13 Ebay Inc. Method and apparatus to authenticate and authorize user access to a system
KR20070032805A (en) * 2004-07-09 2007-03-22 마츠시타 덴끼 산교 가부시키가이샤 System and method for managing user authentication and authorization to realize single-sign-on for accessing multiple networks
GB0603781D0 (en) * 2006-02-24 2006-04-05 Nokia Corp Application verification
US7912762B2 (en) * 2006-03-31 2011-03-22 Amazon Technologies, Inc. Customizable sign-on service
US20070239838A1 (en) * 2006-04-10 2007-10-11 Laurel James P Methods and systems for digital content sharing
US8069476B2 (en) * 2006-06-01 2011-11-29 Novell, Inc. Identity validation

Also Published As

Publication number Publication date
EP2269357A4 (en) 2017-04-12
EP2269357A1 (en) 2011-01-05
CN102017572A (en) 2011-04-13
KR20110008272A (en) 2011-01-26
US20090271847A1 (en) 2009-10-29
KR101270323B1 (en) 2013-05-31
WO2009130370A1 (en) 2009-10-29

Similar Documents

Publication Publication Date Title
CN102017572B (en) The method logged on for providing single service, equipment and computer program
CN105830414B (en) Use the network insertion of the safety of voucher
CN105432103B (en) Access network assistance guidance bootstrapping
CN102783115B (en) For the credible method and apparatus combining mark
CN106063308B (en) Device, identity and event management system based on user identifier
KR101214836B1 (en) Authentication method and authentication system
CN107070843A (en) A kind of user equipment and method in a user device
Mizuno et al. Authentication using multiple communication channels
CN109076075A (en) Access corporate resources
CN103155513A (en) Method and apparatus for accelerated authentication
WO2011110539A1 (en) System and method for using a portable security device to cryptographically sign a document in response to signature requests from a relying party to a digital signature service
CN104917775A (en) Internet access method
CN105191208B (en) Method for activating the application program on user apparatus
CN101366037A (en) Computer program product, apparatus and method for secure http digest response verification and integrity protection in a mobile terminal
AU2011380272A1 (en) Security mechanism for external code
JP4897503B2 (en) Account linking system, account linking method, linkage server device
US20170272948A1 (en) Method and apparatus for establishment of private commnunication between devices
JP2015534408A (en) Mutual authentication method between terminal and remote server via third-party portal
CN104936177B (en) A kind of access authentication method and access authentication system
CN108809969A (en) A kind of authentication method, system and its apparatus
KR100676052B1 (en) System and method for jointing contents using sync server
CN109729045A (en) Single-point logging method, system, server and storage medium
CN105409259B (en) Telephone service is provided by WIFI for non-cellular
CN106954214B (en) Electronic device and control method thereof
EP1959629B1 (en) Method for authenticating a user for access to server based applications from mobile device, gateway and identity management unit

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160204

Address after: Espoo, Finland

Patentee after: Nokia Technologies Oy

Address before: Espoo, Finland

Patentee before: Nokia Oyj

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150930

Termination date: 20210310